invisible file name in action attribute of a form

How about posting the form values to mask1.php page and including a redirect header with required values to your secret.php page and again redirecting it to final.php page with the computed values. This is a quick thought from my side, let me know if it works. I m sure there is better sol fr this prob.

There shouldn't be an issue with this as long as you lock down the code with form validation. All the data should be checked for datatype and sanitized. You could create a hashed verification code with the form to ensure that it was sent from that page (not spoofed), although this can be circumvented. Making multiple redirects sounds a bit extreme.

php forms
self posting, the user sees very little not even a filename, everything is on the server

<?php // form processing verification
if isset($_post['bla bla bla']) { /*mysql bla bla bla etc */ }
?>
<html><head></head><body><form method='post' name='form1'>

the default action for a form is to post to itself

you mean u dont want user see where the form redirected when the user view its source code?

<?php

if(isset($_POST['btnsubmit'])){
echo "<script>window.location='secret.php';</script>";
}

?>
<form name='form1' method='post'>
<input type='submit' name='btnsubmit' value='go' />
</form>

tried and tested....this should hide the action attribute of the form... but it still show in the url. if you want to change the url. then you have to use .htaccess. after all you only want the action attribute to be invisible... so i just give u what u ask.

@AB - thanks - straightforward - cutting through the nonsense as usual. How about validation? Will lacking an action attribute cause failure?

As for js redirects: will not the client pick up the redirect as it is client-based (js), i.e. redirect after page has loaded. Whereas (*I think*) the php header() will redirect before page load on client and therefore hide its tracks. Thought WCAG had suggested that all redirects should be server-side. Maybe wrong here.

What about page refresh? Won't sending the form to itself resend the form on refresh?

Is all this 'hiding' necessary in the first place? $_SERVER could check the 'sender' and if it is not the form sending page - alert, alert, alert. I know it can't be trusted 100%.

$_SESSION variables could be used to store a string (e.g. salt + unixdatetime + another salt) which could be checked against a hidden field (hashed) in the form.

The receiving form handler page then checks the session variable for a value and then hashes it and then compares it to the hidden form field. If 'true' then form "must" have come from the true form page. Where 'false' bounce user back to form page with a message.

ei by the way im not copying AB's post. Actually when i read this post, i only see kivata and ardav post. And im pretty slow coz. i test it 1st and run on my localhost before i submit my solutions. Upon submitting i was surprise AB's post 1st on my post.

ei by the way im not copying AB's post. Actually when i read this post, i only see kivata and ardav post. And im pretty slow coz. i test it 1st and run on my localhost before i submit my solutions. Upon submitting i was surprise AB's post 1st on my post.

Yeah, yeah. I always use that excuse too! :icon_lol:

Yeah, yeah. I always use that excuse too! :icon_lol:

waaaaaaaaaaaaaaaaa! seriously dude! i didn't mean it!

@AB - thanks - straightforward - cutting through the nonsense as usual. How about validation? Will lacking an action attribute cause failure?

no the default action is valid to xhtml and html5, it is only necessary to supply an action if the form is NOT posting to itself

As for js redirects: will not the client pick up the redirect as it is client-based (js), i.e. redirect after page has loaded. Whereas (*I think*) the php header() will redirect before page load on client and therefore hide its tracks. Thought WCAG had suggested that all redirects should be server-side. Maybe wrong here.

quite correct, the php given should have used a header redirect

What about page refresh? Won't sending the form to itself resend the form on refresh?

no 'post' destroys the data

Is all this 'hiding' necessary in the first place? $_SERVER could check the 'sender' and if it is not the form sending page - alert, alert, alert. I know it can't be trusted 100%.

$_SESSION variables could be used to store a string (e.g. salt + unixdatetime + another salt) which could be checked against a hidden field (hashed) in the form.

The receiving form handler page then checks the session variable for a value and then hashes it and then compares it to the hidden form field. If 'true' then form "must" have come from the true form page. Where 'false' bounce user back to form page with a message.

didnt suggest the process was necessary, but the OP could be creating the login page for nuclear missile control sites.... :)

Lgin: xxJoshua,
'Hello Doctor, Do you want to play a game?'
Global Thermonuclear War

only they know how much security/obscurity they require

Thank you AB - eye in it's place - as usual. Yes, noticed OP wanted anonymity. Funny, but I can't see how no action attribute in form is more 'secure' when viewed in 'view source' as it is obvious that the form is being sent to its parent page.

You sure about that 'post' thing? I did a quick mock-up - sent the form - refreshed/reloaded page and got a browser popup asking if I wanted to resend the data.

browser actions and published standards are out of sync again
the
you are probably right, but a form page would not redisplay the page on submit, it would either display a totally different page without the form, or resub the form is a valid action

<?if isset($_submit['something']) {echo 'completed form page html'} else { echo 'form page html' /* or redirect */ }?>

OK AB. Thanks again.

It seems to me that what I want is a bit unnecessary. Therefore, I'll just use

<?php
if(isset($_POST["submitButton"]) && $_POST["submitButton"] == "ADD" &&
   isset($_POST["hiddenId"]) && isset($_POST["hiddenTitle"]) &&
   isset($_POST["hiddenPrice"]) && isset($_POST["hiddenPage"])){

    require_once "class/class.shop.php";

    $itemId = $_POST["hiddenId"];
    $itemTitle = $_POST["hiddenTitle"];
    $itemPrice = $_POST["hiddenPrice"];
    $returnPage = $_POST["hiddenPage"];
    
    //And other things

    header("location: ".$returnPage);   //Go back where you came from
    exit;

} else {
    header("location: index.php");
    exit;
}
?>

Do you think this is OK?

from a redirection/post check point of view - looks fine to me. Your only problem could come from form spoofers, where they copy your form code (html), place it in a page on their own webserver pointed at your "action" reference or the page containing the form. This way they can change your hidden attributes to whatever they want. Therefore you need a strict data validation routine. I suggested a hash solution - perhaps that would solve the spoofing - but haven't tried it myself, so can't comment further.

Understood. You are right. Is there any example for me to solve this spoofing problem that I can apply to my above example?
Thanks

I suggested a hash solution

Try it.

Do you mean something like this. Is this good enough?

index.php

<form action="process.php" method="post">
<input type='hidden' name='hiddenEncrypted'  value='c6d8d5bad9d62f25fbf5dd89d589b9d5b04b59e2' />
<input type='submit' name='submitButton'  value='ADD' />
</form>

process.php

<?php
if(isset($_POST["submitButton"]) && $_POST["submitButton"] == "ADD" &&
  isset($_POST["hiddenEncrypted"]) &&  $_POST["hiddenEncrypted"] == SHA1("123ABC")){

    require_once "class/class.shop.php";

    $itemId = $_POST["hiddenId"];
    $itemTitle = $_POST["hiddenTitle"];
    $itemPrice = $_POST["hiddenPrice"];
    $returnPage = $_POST["hiddenPage"];
    
    //And other things

    header("location: ".$returnPage);   //Go back where you came from
    exit;

} else {
    header("location: index.php");
    exit;
}
?>

No. I don't think that'll work, because the hash is static - there's no degree of variability nor a session variable to check it against.

In your form page:

...
$confirmstring = md5("xxxYDi092" . time() . "xReb69gyT");
$_SESSION['form7confirmstring'] = $confirmstring;
...
<input type = "hidden" id="confirm" name="confirm" value="<?php echo $confirmstring;?>" />
...

In your form handling page (or top of your form page if sending to self):

if(!isset($_POST['confirm']) || !isset($_SESSION['form7confirmstring']) || $_POST['confirm'] != $_SESSION['form7confirmstring']){
    header("Location:http://www.example.com/index.php?msg=error6");
    exit;
}